
Page 1: RSA Decision Tree WP 0711

THE RSA AUTHENTICATION DECISION TREE

Select the Best Authentication Solution for Your Business

White Paper

“What is the best authentication solution for my business?” This is a recurring question being asked by organizations around the globe. With analysts labelling a steady stream of new and emerging security products the “silver bullet” solution, it is critical to recognize that there are many authentication choices available on the market. Before making a final selection as to the authentication solution that will work best, organizations must consider their user authentication needs, the threats targeting their business, their business objectives and the regulatory guidelines that impact their industry.

RSA has developed the Authentication Decision Tree – a comprehensive tool to help organizations understand, evaluate and select the most appropriate authentication solution to meet the needs of their users and their business. The RSA Authentication Decision Tree provides a framework to help narrow the selection of authentication solutions based on five critical factors. This white paper provides an overview of the Authentication Decision Tree, examines the five factors critical to selecting an authentication solution, and offers a clear guide to selecting the right solution that effectively balances risk, cost and end user convenience.

The Need for Strong Authentication

Protecting access to information and assuring the identities of users requesting that access is a core element of any security initiative. In the last few years, numerous industry regulations have been issued that require organizations to enact strong authentication security measures to protect against unauthorized access to information. Today, as functionality and technology move to new channels, so do the threats that target sensitive data – driving an increasing demand for strong authentication across the organization.

The online and mobile channels. Recognizing the new business opportunities, cost efficiencies and the customer service aspects associated with providing real-time access to information online, many organizations are offering an increasing number of Web-based customer portals and business applications that enable customers to access and manage their accounts 24/7. Mobile access – smart phones in particular – provides customers with similar access and often offers even more functionality through customized applications.


Remote and mobile access. The global nature of business and employee mobility has forced many organizations to provide around-the-clock access from multiple locations and multiple devices – including mobile – to enable employee productivity.

Access for new user populations. Today’s organizations are extending access privileges beyond the employee to external contractors, partners and suppliers. These new user populations require on-demand access to proprietary information such as sales forecasts, competitive intelligence, pricing charts, inventory, and customer data.

The State of User Authentication

Despite the fact that “password-only” authentication is recognized for providing relatively weak security, the use of a single password as a means of assuring user identities continues to dominate. However, the authentication method once viewed as “free” has actually become expensive in terms of ongoing management and support costs. According to the Help Desk Institute, roughly 30 percent of all help desk calls are for password resets – and cost between $25 and $50 per call.

New authentication methods continue to appear on the market, making the selection even more challenging for organizations looking to implement a strong authentication strategy. In the enterprise, hardware authenticators still dominate for securing access to corporate resources. Yet employee mobility and the use of mobile phones and PDAs have increased demand for software authenticators. For consumer-facing portals, risk-based authentication and knowledge-based authentication are common security mechanisms because of their ease of use and their scalability to a mass user base.

With so many authentication options available on the market, organizations are finding it difficult to establish an authentication strategy. For many organizations, multiple authentication options can be selected based on factors such as the user population, the value of information being protected, portability and user experience. RSA developed the Authentication Decision Tree to help organizations weigh the assorted options objectively and align the needs of their users and their business to make the optimum choice.

Critical Factors to Consider in Developing an Authentication Strategy

There are five critical factors to consider in developing an appropriate authentication strategy. These five factors are:

– The value of the information being protected
– The strength of user authentication to apply
– Planned usage
– Needs of the end user population
– Technical environment

The value of protected information

The first factor to consider is the value of the information to be protected and the cost of unauthorized access to that information. Proprietary business data, bank account and credit card details, health records or personally identifiable information (PII) are all types of information that could be considered high value. Unauthorized access to that information could be costly (e.g., a bank having to assume the costs of unauthorized fund transfers for customers) and detrimental to a company’s brand and reputation. The higher the value of the information and the greater the risk to the organization if it is accessed by an unauthorized user, the stronger the authentication solution needed to protect it.


The strength of user authentication to apply

Considering the user population and the information being accessed by those users can help organizations determine the level of user authentication to apply. For example, organizations cannot force authentication on their customers, so the considerations in selecting a solution for this user base might be convenience and willingness to adopt. For employees and partners, however, organizations have more control over the types of authentication to deploy and will more likely consider features such as portability, total cost of ownership and overall management.

Planned usage

When organizations deploy an authentication solution, there is often more than one business objective to be met. In other words, depending on the user and the types of activities performed, an organization might determine that additional layers of authentication are needed beyond just assuring user identities. For example, a financial institution seeking to decrease its fraud losses might implement a transaction monitoring solution to monitor high-risk money transfers. Another example would be enterprise users: an organization might require certain users who work with and exchange highly sensitive information – such as HR, payroll and finance – to have an authentication solution that enables file and e-mail encryption.

End user population

When deploying authentication to an end user community, there are many factors to consider depending on the end user population. From the user’s perspective, organizations must consider aspects such as ease of use, the user’s willingness to adopt and the information the user will be accessing. From the organization’s perspective, consideration must include total cost of ownership, training requirements, scalability to end users and mobility of the solution.

Technical environment

Finally, the technical environment where the solution will be deployed is important in helping to determine such factors as what level of authentication strength to apply. For example, in an environment where desktops are more controlled and anti-virus software is likely to be up-to-date, security requirements may not be as rigorous compared to a scenario where the user environment is not as controlled and a large percentage of the user population is accessing the network from remote locations around the world.

Another technical consideration is the range of end user devices being used for access. For both corporate and customer-facing applications, the end user base is likely to be accessing information from devices ranging from laptops and desktops to PDAs and mobile phones to kiosks. The types of access devices are important in determining the authentication form factors offered to end users.

Today, many organizations regularly issue smart phones (e.g., iPhone, Android, or Blackberry) that enable access to corporate email. This relatively new aspect of mobility – often referred to as “the consumerization of IT” – increases employee productivity and flexibility. These benefits, coupled with the increasing functionality and power of new devices, are fueling the drive for the use of consumer devices for business use. But this trend also introduces many issues and questions for the organization, including how to manage the costs of ongoing IT support for the exploding variety of devices, where to draw the line for that support, and how to manage the growing security threats introduced by mobility.


The Authentication Decision Tree

In light of the number of new authentication methods and technologies, the increasing value of information, new user populations requiring access to networks and applications, the proliferation of advanced threats and a complex regulatory environment, organizations are being driven to re-evaluate their existing authentication strategy.

There are many existing authentication solutions to evaluate, and market buzz about certain authentication technologies makes the assessment difficult for many organizations. Biometric solutions, for example, enjoy a disproportionate share of media coverage compared to their actual deployment in the market. These solutions require expensive and cumbersome readers, making them impractical for mobile or remote access or for adoption by a mass consumer audience.

The RSA Authentication Decision Tree was designed for organizations to evaluate their user and business needs objectively against the readily available authentication technologies on the market in order to ease the decision-making process. As the market has yet to come up with a universal solution that will meet every business requirement and address the security needs for all users and all scenarios, the RSA Authentication Decision Tree can be used to help organizations select the most appropriate authentication solution, or combination of solutions, while balancing risk, cost and end user convenience.

How to Use the Authentication Decision Tree

In determining what solution(s) will work best for an organization, the RSA Authentication Decision Tree examines the following criteria:

– Control over the end user environment
– Access methods to be used
– Requirements of access across multiple locations or devices
– The need for disk, file or e-mail encryption
– Fraud prevention
– Size of the end user base

Control over the end user environment

Control over the end user environment is critical in determining the appropriate authentication method. Considerations include whether the organization is allowed to install software on the end user’s system or consumer device, and whether it can dictate the operating system platform an end user is required to work on.

But why is this so important? Something as simple as control over the operating system matters because not all authentication solutions are compatible with all operating systems. In an enterprise environment, the organization has direct control over the operating systems on user devices. However, there is no control over the operating systems of external users, such as customers and partners, so the authentication method offered to these populations may be different.

Access methods to be used

Access methods are very important in determining an authentication strategy. Some authentication methods only work for accessing Web-based applications while others can be used to authenticate to multiple, non-Web based applications. Therefore, taking into account the user, their access rights, and their planned usage will have a direct effect on the authentication methods selected.


Requirements of access across multiple locations or devices

The global nature of business and increased employee mobility has created a demand for around-the-clock access from multiple locations and multiple devices – including mobile devices. For employees or partners, providing the option of anytime, anywhere access is critical to sustaining productivity; for customers, it is important for maintaining customer satisfaction. Above all, providing the anywhere, anytime option for users to access information securely is critical to the continuation of business.

Factors to weigh include:

– Do you need to accommodate user access from varying remote locations?
– Do you need to accommodate user access from unknown systems such as kiosks, hotel systems or shared workstations?
– Do you need to accommodate user access from varying devices such as PDAs, mobile phones, or other consumer devices (e.g., tablets)?

The need for disk, file or e-mail encryption

When evaluating an authentication strategy, organizations should consider the other business purposes that they may want the authentication method to address. For example, a healthcare organization might have the need to encrypt protected health information (PHI) or other personally identifiable information (PII) of a patient as it is transmitted between departments and facilities in order to meet HIPAA regulations. In this instance, the healthcare organization might require individuals with access rights to PHI and PII to access the data only from trusted machines.

Fraud prevention

Some authentication methods are required to monitor transactions and activities that are performed by a user after initial authentication at login in order to prevent fraud. While this scenario is relevant primarily for financial services applications, other industries are beginning to experience targeted attacks, such as phishing and malware, by cybercriminals for the purpose of gaining deeper access to a company’s infrastructure to collect personal and/or proprietary corporate data that can be sold on the black market.

Size of the end user base

The size of the end user base being protected is important as cost is often one of the biggest considerations – especially for small to mid-sized businesses. Several authentication solutions are designed – and priced – specifically for a very small or very large user base.

A Myriad of Authentication Possibilities

Passwords

Passwords provide single-factor authentication for assuring user identities. While initial acquisition is free, there are ongoing management and support costs (password resets, for example) which can wind up being expensive in the long term. The level of security provided is very low: passwords are vulnerable to compromise by attackers and to sharing among individuals.

Knowledge-based authentication

Knowledge-based authentication is a method used to authenticate an individual based on knowledge of personal information, substantiated by a real-time interactive question-and-answer process. The questions presented to a user are gleaned from scanning public record databases; they are selected at random and have not previously been asked of the user.


Risk-based authentication

Risk-based authentication is a system that measures – behind the scenes – a series of risk indicators to assure user identities and/or authenticate online activities. Such indicators include certain device attributes, user behavioral profiles, device profiles and IP geo-location. The higher the risk level presented, the greater the likelihood is that an identity or action is fraudulent. If the risk engine determines the authentication request to be above the risk level the policy accepts, then risk-based authentication provides the option to “step-up” authentication. In a step-up authentication scenario, a user may be asked to answer a few challenge questions, or submit an authorization code delivered to a phone via SMS (text) message or e-mail.
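The behind-the-scenes scoring and step-up decision described above, as an added Python example that is not RSA's code: the indicator classes follow the paragraph (device attributes, behavioral profile, IP geo-location), while the weights, the thresholds and the sample profile and requests are constructed for illustration.

```python
"""Illustrative risk-based authentication engine with step-up.

Added example, not RSA code. Scores an access request against the
indicator classes the paper names (device attributes, user behavioural
profile, IP geo-location), compares the score with a policy threshold,
and chooses a step-up method (SMS code or challenge questions) when the
request is riskier than the policy accepts.
"""
from dataclasses import dataclass, field

# Constructed weights and thresholds; a real deployment tunes these per policy.
WEIGHTS = {
    "unknown_device": 50,   # device attributes do not match an enrolled device
    "new_country": 30,      # IP geo-location outside the user's usual countries
    "unusual_hour": 15,     # behavioural profile: login outside usual hours
    "ip_velocity": 25,      # many requests from the same IP in the last hour
}
STEP_UP_THRESHOLD = 50      # at or above: additional authentication required
DENY_THRESHOLD = 90         # at or above: refuse without offering step-up


@dataclass
class UserProfile:
    """What the risk engine has learned about one user (constructed fields)."""
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    usual_hours: range = range(7, 20)   # local hours in which logins are normal
    has_registered_phone: bool = False


@dataclass
class AccessRequest:
    """One login attempt as seen by the risk engine (constructed fields)."""
    user: str
    device_id: str
    country: str
    hour: int
    requests_from_ip_last_hour: int


def score_request(req: AccessRequest, profile: UserProfile):
    """Return (risk_score, triggered_indicators) for a request."""
    triggered = []
    if req.device_id not in profile.known_devices:
        triggered.append("unknown_device")
    if req.country not in profile.usual_countries:
        triggered.append("new_country")
    if req.hour not in profile.usual_hours:
        triggered.append("unusual_hour")
    if req.requests_from_ip_last_hour > 20:
        triggered.append("ip_velocity")
    return sum(WEIGHTS[name] for name in triggered), triggered


def decide(req: AccessRequest, profile: UserProfile) -> dict:
    """Map a risk score to allow / step_up / deny, picking the step-up method."""
    score, triggered = score_request(req, profile)
    decision = {"user": req.user, "score": score, "indicators": triggered}
    if score >= DENY_THRESHOLD:
        decision["action"] = "deny"
    elif score >= STEP_UP_THRESHOLD:
        decision["action"] = "step_up"
        # Out-of-band SMS code if a phone is registered, else challenge questions.
        decision["method"] = ("sms_code" if profile.has_registered_phone
                              else "challenge_questions")
    else:
        decision["action"] = "allow"
    return decision


def complete_step_up(req: AccessRequest, profile: UserProfile, passed: bool) -> bool:
    """After a successful step-up, enrol the device so it is recognised next time."""
    if passed:
        profile.known_devices.add(req.device_id)
    return passed


# Constructed sample data: one user with one enrolled laptop in the US.
SAMPLE_PROFILE = UserProfile(known_devices={"laptop-7f3a"}, usual_countries={"US"},
                             has_registered_phone=True)
SAMPLE_REQUESTS = [
    AccessRequest("jdoe", "laptop-7f3a", "US", 10, 3),   # usual device: allow
    AccessRequest("jdoe", "kiosk-0c21", "US", 10, 3),    # unknown device: step up
    AccessRequest("jdoe", "kiosk-0c21", "BR", 3, 25),    # every indicator fires: deny
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(decide(request, SAMPLE_PROFILE))
```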

One-time password authentication

One-time password (OTP) authentication is a leading two-factor authentication solution; it is based on something you know (a PIN or password) and something you have (an authenticator). The authenticator generates a new OTP code every 60 seconds, making it difficult for anyone other than the genuine user to input the correct code at any given time. To access information or resources protected by one-time password technology, users simply combine their secret personal identification number (PIN) with the token code that appears on their authenticator display at that given time. The result is a unique, one-time password that is used to assure – positively – a user’s identity.

One-time password technology is available in many form factors including:

– Hardware authenticators. Traditional hardware authenticators (sometimes referred to as “key fobs”) are portable devices that are small enough to fit on a key chain and meet the needs of users who prefer a tangible solution or who access the Internet from a number of different locations.
– Software authenticators. Software authenticators (for PCs, USB drives, or mobile devices) are typically offered as an application or in a toolbar format that is securely placed on a user’s desktop, laptop or mobile device.
– On-demand. On-demand authentication involves delivery of a unique OTP “on demand” via SMS (text message) to a mobile device or a user’s registered e-mail address. Upon receipt of the unique OTP, a user simply enters it, along with their PIN when challenged, to gain access to their corporate network or an online application.

Digital certificates

A digital certificate is a unique electronic document containing information that identifies the person or machine to which it is bound. The digital certificate can be stored on a desktop, smart card or USB. For stronger two-factor authentication, the digital certificate can be locked on a smart card or USB, requiring the user to enter a PIN in order to unlock the certificate and use the credential. The digital certificate can then be utilized to authenticate a user to a network or application. In addition to being used for user authentication, digital certificates can add value to the enterprise by enabling digital signatures or e-mail encryption.

Digital certificates can also be combined with OTP deployments using a hybrid authenticator. In this case, the hybrid authenticator stores multiple credentials and streamlines the end user experience. A common use case for a combined certificate and OTP deployment is to unlock hard disk encryption with a digital certificate followed by authentication to a VPN with a one-time password.


Analyzing the Authentication Attributes

Once an organization assesses the needs of its business and its users, selecting the appropriate authentication strategy based on the available choices ultimately is a tradeoff among a number of variables:

1. Strength of security
2. Typical use case
3. Client-side requirements
4. Portability
5. Multiple use
6. User challenges
7. Distribution requirements
8. System requirements
9. Cost

The RSA Authentication Decision Tree can help organizations make the relevant comparisons among the authentication methods that are designed to meet their requirements. By using this simple framework, organizations are provided with an objective assessment among the leading authentication solutions.

While cost is an important consideration, organizations must consider a number of other elements in determining what is most suitable to their needs. Too often, the focus is on acquisition cost alone, but in considering that as a priority factor, one only needs to look to password-only authentication to prove that cost should never be the only consideration. Passwords are essentially “free” in terms of acquisition cost; however, they are surprisingly expensive in terms of ongoing management and support costs.

RSA Solutions

For more than 25 years, RSA has been a leading provider of strong two-factor authentication solutions. RSA offers a variety of solutions to help businesses of all sizes provide strong authentication while balancing risk, cost and end user convenience.

RSA SecurID® Authentication

RSA SecurID® one-time password technology provides a leading two-factor authentication solution; it is based on something you know (a PIN or password) and something you have (an authenticator). The authenticator itself can be one of a variety of formats, or form factors, which are described later in this section. RSA SecurID authentication offers a unique symmetric key (or “seed record”) that is combined with a proven algorithm to generate a new one-time password (OTP) every 60 seconds. Patented technology synchronizes each authenticator with the security server, ensuring a high level of security.

To access resources that are protected by the RSA SecurID system, users simply combine their secret Personal Identification Number (PIN) with the token code that appears on their authenticator display at that given time. The result is a unique, one-time password that is used to assure a user’s identity positively. RSA SecurID authentication is available in the following form factors to meet the needs of organizations and their users:

Hardware Authenticators

From a usability perspective, traditional hardware authenticators (sometimes referred to as “key fobs”) are small enough to fit on a key chain and meet the needs of users who prefer a tangible solution or access the Internet from a number of different locations.


Hybrid Authenticator with Digital Certificates

The RSA SecurID 800 authenticator is a hybrid device that combines the simplicity and portability of SecurID authentication with the power and flexibility of a smart card in one convenient USB form factor. The 800 offers standards-compliant digital certificate support for disk and file encryption, authentication, signing and other applications and strengthens simple password authentication by storing users’ domain credentials on a hardened security device. By combining multiple credentials and applications in a single device, the 800 is a master key that enables strong authentication across a heterogeneous IT environment in a way that is both simple and seamless for the end user.

An Authentication Decision Tree Scenario

Company profile: A large healthcare organization representing several regional hospitals and specialty health centers that serves more than 1.5 million patients.

User groups: Physicians, payers and insurers, patients and healthcare administrators.

Business and user needs: Physicians are constantly on the go, moving among multiple facilities, and stay connected to healthcare and patient records through a laptop, Blackberry or other mobile device. This enables instant, secure access to pertinent health records to ensure the highest quality of patient care.

Payers and insurers need access to patient records, medical history and services performed in order to settle or adjust claims.

Healthcare administrators are always in need of access to protected health information and personally identifiable information (PII) of patients. From case workers to billing specialists, access to patient information is critical to their job performance.

Patients are provided access to their personal information and medical history through a Web-enabled portal. In addition to making updates to their personal information, they are provided a number of other convenient online services such as the ability to schedule appointments, submit prescription renewal requests and pay medical bills.

Authentication choices: With a diverse user base that requires access to various systems and for different needs, this healthcare organization would likely need to consider a myriad of authentication solutions including:

– Physicians: Software-based OTP for mobile devices
– Payers and insurers: Hardware tokens
– Healthcare administrators: Hardware tokens
– Patients: Risk-based authentication


Software Authenticators

RSA SecurID software authenticators use the same algorithm as RSA SecurID hardware authenticators – but provide an added benefit for mobile users by eliminating the need for users to carry dedicated hardware devices. Instead of being stored in SecurID hardware, the symmetric key is safeguarded securely on the user’s PC, smart phone or USB device.

Mobile Devices

RSA SecurID software authenticators are available for a variety of smart phone platforms including BlackBerry®, iPhone, Android, Microsoft Windows® Mobile, Java™ ME, Palm OS, Symbian OS and UIQ devices.

Microsoft Windows® Desktops

The RSA SecurID Token for Windows Desktops is a convenient form factor that resides on a PC and enables automatic integration with leading remote access clients.

OTP Token Toolbar

The RSA SecurID Toolbar Token combines the convenience of auto-fill capabilities for Web applications with the security of anti-phishing mechanisms.

On-demand (delivered via SMS or e-mail)

RSA On-demand Authentication delivers a unique one-time password “on demand” via SMS (text message) to a mobile device or a user’s registered e-mail address. Upon receipt of the unique OTP, a user simply enters it, along with their PIN when challenged, to gain access to their corporate network or an online application.

RSA® Authentication Manager Express

RSA® Authentication Manager Express is a strong multi-factor authentication platform that provides cost-effective protection for small- to mid-sized organizations. Authentication Manager Express works with leading SSL VPNs and Web-based applications to enable strong authentication and secure access to protected applications and data.

Authentication Manager Express is powered by RSA risk-based authentication technology – the same technology that protects the identities of more than 250 million users worldwide. This sophisticated system measures a series of risk indicators behind the scenes to assure user identities. RSA Authentication Manager Express considers multiple factors in determining the risk associated with each access request including:

– Something the user knows such as a username and password
– Something the user has such as a laptop, desktop PC, or mobile device
– Something the user does such as recent authentication and account activity

RSA Authentication Manager Express can invoke additional authentication methods in the event an access request does not meet the required assurance level. This is especially true in situations where a remote user is logging in from a device that is not recognized and has not been previously used to access the network. RSA Authentication Manager Express provides two methods for additional authentication: out-of-band SMS and challenge questions.

RSA Authentication Manager Express is delivered on a plug-and-play appliance and supports up to 2,500 users.


RSA® Adaptive Authentication

RSA® Adaptive Authentication is a multi-channel authentication and fraud detection platform that provides cost-effective protection for an entire user base. Adaptive Authentication actively introduces additional identifiers through the simple addition of a cookie and/or a flash shared object (also referred to as a “flash cookie”), which serves as a more distinctive identifier of a user’s device. The solution provides strong and convenient protection by monitoring and authenticating user activities based on risk levels, institutional policies and user segmentation. Powered by RSA’s risk-based authentication technology, Adaptive Authentication tracks over one hundred indicators to identify potential fraud including device profiles, IP geo-location and user behavioral profiles. Each activity is assigned a unique risk score; the higher the score, the greater the likelihood is that an activity is fraudulent.

Adaptive Authentication offers behind-the-scenes monitoring that is invisible to the user. It is only when an activity is deemed to be high-risk that a user is then challenged to provide additional authentication, usually in the form of challenge questions or out-of-band phone authentication. With low challenge rates and high completion rates, Adaptive Authentication offers strong protection and superior usability and is an ideal solution for deployment to a large user base.

RSA Adaptive Authentication is available in both SaaS (software as a service) and on-premise deployments. The solution is highly scalable and can support millions of users.

RSA® Identity Verification

RSA Identity Verification utilizes knowledge-based authentication to assure user identities in real-time. RSA Identity Verification presents a user with a series of “top-of-mind” questions utilizing information on the individual that is obtained by scanning dozens of public record databases. Within seconds, RSA Identity Verification delivers a confirmation of identity, without requiring any prior relationship with the user.

RSA Identity Verification also provides improved accuracy in authenticating users with the Identity Event Module. The Identity Event Module improves security by measuring the level of risk associated with an identity and allowing the configuration of the system to adjust the difficulty of the questions automatically during the authentication process in order to meet the specific nature of the risk. Some of the identity events that are measured include:

– Public record searches. Suspicious access to a user’s public record reports.
– Identity velocity. A high volume of activity associated with an individual at several businesses.
– IP velocity. Multiple authentication requests generated from the same IP.


RSA® Certificate Manager

The RSA® Certificate Manager is an Internet-based certificate authority solution that provides core functionality for issuing, managing and validating digital certificates. It includes a secure Web server and a powerful signing engine for signing end user certificates digitally, and an integrated data repository for storing certificates, system data and certificate status information. The RSA Certificate Manager was the first to be Common Criteria certified and is also Identrust certified.

Certificate Manager is built using open industry standards, making it interoperable with hundreds of standards-based applications out of the box. Therefore it can be leveraged across other applications including Web browsers, e-mail and VPN clients to ensure maximum return on investment. It also provides the option to store credentials in Web browsers or on smart cards and USB tokens. For example, RSA digital certificates can be combined with the SecurID 800 hybrid authenticator to consolidate multiple credentials on a single device, simplifying the end user experience. Additional components of the RSA Digital Certificate Solution include RSA Registration Manager, RSA Validation Manager, RSA Key Recovery Module and RSA Root Signing Services.


RSA, the RSA logo, EMC2, EMC and where information lives are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners. ©2011 EMC Corporation. All rights reserved. Published in the USA.

DECTREE WP 0711

About RSA

RSA is the premier provider of security, risk and compliance solutions, helping the world’s leading organizations succeed by solving their most complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments.

Combining business-critical controls in identity assurance, data loss prevention, encryption and tokenization, fraud protection and SIEM with industry leading eGRC capabilities and consulting services, RSA brings trust and visibility to millions of user identities, the transactions that they perform and the data that is generated.

www.rsa.com